Phishing Scams Increase 180% in April Alone!
And a new spoofing technique could easily trick your customers
by Patricia Schoepke and George Milner
The Anti-Phishing Working Group (APWG) received reports of more than 1,125 unique phishing campaigns in April. And this follows a 43% rise in this crime between February and March. The most telling statistic is that 15 of the top 20 targets are financial services firms. Looking at this information on a weekly basis shows a couple of weeks that averaged almost 40 attacks per day, and weekly volumes consistently over 200 attacks per week. The change is even more dramatic when you compare the statistics month to month. It's critical that you proactively protect your customers before rampant phishermen bait them into revealing personal information.
Source: Phishing Attack Trends Report, April, 2004
Look at the month-to-month trends. Barclays had 11 attacks in March and 31 in April. That's nearly a 3-fold increase. And look at US Bank. The 4 attacks they were subject to in March must seem mild compared to the 64 they suffered in April.
What does this mean?
- Even if you've never been attacked, now is the time to educate your customers and set up a response plan.
- If you have been attacked, even if it's only happened once, protective measures are essential, and, in view of the trends shown in this report of repeat attacks, you should prepare for a potential onslaught of additional phishing activity.
- If you have not yet taken proactive steps to protect your customers, now is the time to do so!
And it Gets Worse
The April report from the Anti-Phishing Working Group, released on May 24, 2004, contains a special alert. Firms are warned that documented attacks have involved the use of a 'floating' window that spoofs the URL in the address bar of the user's browser. JavaScript is used to create a window containing a URL that appears to reflect a valid, secure page on the financial firm's web site.
So What Can be Done?
With the statistics showing almost a 200% rise in one month, there's an increasing urgency to solve the phishing problem. What is driving it, of course, is that the financial firms and retailers are getting nailed.
Educate your Customers!
Let your customers know how you will communicate with them and tell them to be suspicious of any email with urgent requests for personal financial information unless the email is digitally signed. If it is not, you can't be sure it wasn't forged or 'spoofed'.
Here are a few things to look out for:
- Phishers use upsetting or exciting (but false) statements in their subject lines to get people to react immediately.
- Phishers typically ask for information such as user names, passwords, credit card numbers, or social security numbers, and their messages are NOT personalized, while valid messages from your bank or e-commerce company will be.
- Do not fill out forms in email messages that ask for personal financial information. You should never communicate information such as credit card numbers or account information unless you see the icon of a padlock, denoting a secure web site. The beginning of the Web address in your browser's address bar should be "https://" rather than just "http://".
- Provide 24/7 access and/or staff so that your customers can check with you as to the accuracy of any suspicious email they might receive.
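The indicators in the list above (an urgent subject line, a request for user names, passwords, card or social security numbers, a message that is not personalized, a form inside the email, plain "http://" links, and the absence of a digital signature) can be turned into a simple screening check that a fraud desk or mail gateway could run over forwarded messages. The following is an added example and not code from the article or from the APWG; the indicator names, keyword lists, sample messages and addresses are all constructed for illustration, and the signature check only tests whether an S/MIME `multipart/signed` wrapper is present, not whether the signature is valid.

```python
"""Score an email against the customer-education phishing indicators above.

Added example; keyword lists, thresholds and sample messages are assumptions.
The "not_signed" check only looks for a multipart/signed wrapper and does not
verify the signature.
"""
import email
from email import policy
from html.parser import HTMLParser

# Constructed keyword lists for the indicators described in the article.
URGENT_WORDS = ("urgent", "immediately", "suspended", "verify", "confirm",
                "24 hours", "unauthorized")
CREDENTIAL_WORDS = ("password", "user name", "username", "credit card",
                    "social security", "account number")


class _LinkAndFormFinder(HTMLParser):
    """Collects anchor hrefs and counts <form> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.forms = 0

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.forms += 1
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _get_body(msg):
    """Return (text, html) body strings; empty string where a part is absent."""
    text = html = ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" and not text:
            text = part.get_content()
        elif ctype == "text/html" and not html:
            html = part.get_content()
    return text, html


def phishing_indicators(raw, customer_name):
    """Map each indicator name to True when the raw RFC 822 message triggers it."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).lower()
    text, html = _get_body(msg)
    combined = " ".join((subject, text, html)).lower()

    finder = _LinkAndFormFinder()
    finder.feed(html)

    return {
        "urgent_subject": any(w in subject for w in URGENT_WORDS),
        "asks_for_credentials": any(w in combined for w in CREDENTIAL_WORDS),
        "not_personalized": customer_name.lower() not in combined,
        "form_in_email": finder.forms > 0,
        "plain_http_link": any(h.lower().startswith("http://") for h in finder.hrefs),
        "not_signed": msg.get_content_type() != "multipart/signed",
    }


def risk_score(hits):
    """Number of indicators triggered; 0 to 6 with the checks above."""
    return sum(1 for triggered in hits.values() if triggered)


# Constructed sample messages; the bank, addresses and IP are placeholders.
SAMPLE_PHISH = """\
From: "Example Bank" <security@example-bank.test>
To: customer@example.test
Subject: URGENT: Your account has been suspended
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear Valued Customer,</p>
<p>Verify your user name and password within 24 hours or your account will be closed.</p>
<form action="http://198.51.100.23/login" method="post">
  <input name="user"><input name="password" type="password">
</form>
<a href="http://198.51.100.23/login">Click here to confirm</a>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <statements@example-bank.test>
To: customer@example.test
Subject: Your March statement is available
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Dear Jane Doe,

Your statement is ready. Sign in at https://www.example-bank.test/ to view it.
We will never ask for your credentials by email.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        hits = phishing_indicators(sample, "Jane Doe")
        print(label, risk_score(hits), [k for k, v in hits.items() if v])
```

Run stand-alone, the constructed phishing sample trips all six indicators while the legitimate statement notice trips only "not_signed", which is exactly the point of the article's advice to sign customer email: a well-formed legitimate message still looks unsigned to the customer unless the institution signs it.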
See What Others Are Doing:
Here are some links to a few financial firms that have taken positive and public steps to educate their customers by posting information and providing details about how to report phishing attacks:
- On the Wells Fargo web site, note that this bank has an entire page devoted to reporting fraud and protecting your account, including a phone number to an Online Fraud Prevention Hotline, which is available to customers 24 hours a day, 7 days a week.
- In the upper left hand corner of the Chase web site, there is a Customer Alert link, which lists all the most recent emails that have been received and reported by Chase customers.
- Citibank's Security page has extensive information about detecting fraudulent emails and information about what to do if you are a victim of phishers.
Where to report "phishing" or "spoofed" e-mails:
Forward the email you received to:
- reportphishing@antiphishing.com
- The Federal Trade Commission at uce@ftc.gov
- The "abuse" email address at the company that is being spoofed (e.g., "spoof@citibank.com"). When forwarding spoofed messages, always include the entire original email with its original header information intact.
Related Links:
Information and References: The Anti-Phishing Working Group: Anti-phishing.org
With special thanks to Dan Maier of Tumbleweed Communications for his assistance in providing access to the Phishing Attacks Trends Report for April 2004.
Email from IRS? Nope, Just More Phishing by Mary Beth Guard, BOL Guru
Library of Spoof Email Hoax Scams and Fake Web Pages: MillerSmiles.co.uk
The Industry Standard: Phishing Scams Skyrocket in April
First published on BankersOnline.com 5/24/04